Security Question - DB Config File Location

Hi, one of my clients has flagged up that it is bad practice to have the DB config file located within the root directory. Their lead developer has said it is good practice to locate the connection/config file outside of the root directory. To demonstrate this he recovered the connection name and password rather too quickly for me :frowning:

Has anyone else had experience of locating this file elsewhere? Or point me in the right direction.
Thanks in advance.

Andy

It depends. It is not so easy to break into the root directory, which is a security issue by itself. The config file is encrypted, so I don’t see the risk, actually. You cannot ‘just’ load it into your browser.

Thank you Albert for taking the time to reply.
On this occasion, he recovered the encrypted password, ran it through a common decryption tool and had everything he needed. His point was that all of this was only possible because the db config file was in the same root directory; otherwise, it would not have been possible.

I can’t believe no one else has come up against this?

That is because your password was too weak and could be recovered using an MD5 tool. Use a strong password, and you should be quite safe. AFAIK SC is not offering SHA yet, but I’m not sure.

Actually, yes they do (offer SHA256 & SHA512).
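As an added example, not code from this thread or from any product it mentions, here is a small Python loader that illustrates the lead developer's point: it resolves the config path against the document root and refuses any file the web server could serve directly. The directory layout, the KEY=VALUE format and the sample values are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path


def is_inside_web_root(config_path, document_root):
    """True if the config file would be reachable through the web server."""
    cfg = Path(config_path).resolve()
    root = Path(document_root).resolve()
    return cfg == root or root in cfg.parents


def load_db_config(config_path, document_root):
    """Load KEY=VALUE settings, refusing any file that sits under the web root."""
    if is_inside_web_root(config_path, document_root):
        raise ValueError(f"refusing DB config inside document root: {config_path}")
    settings = {}
    for raw in Path(config_path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def demo():
    """Constructed layout: site/htdocs is the web root, site/private holds the config."""
    with tempfile.TemporaryDirectory() as site:
        htdocs = Path(site, "htdocs")
        private = Path(site, "private")
        htdocs.mkdir()
        private.mkdir()
        good = private / "db.conf"  # outside the web root: accepted
        good.write_text("# constructed sample\nDB_HOST=localhost\nDB_USER=app\nDB_PASS=placeholder\n")
        os.chmod(good, 0o600)  # readable by the application account only
        bad = htdocs / "db.conf"  # same content, but served by the web server: rejected
        bad.write_text(good.read_text())
        result = {"outside": load_db_config(good, htdocs)}
        try:
            load_db_config(bad, htdocs)
            result["inside"] = "loaded"
        except ValueError:
            result["inside"] = "refused"
        return result


if __name__ == "__main__":
    print(demo())
```

The chmod line is the second half of the same advice: a file outside the web root is still only as private as its filesystem permissions.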